Re: WWW Security Hole

William M. Perry ([email protected])
Thu, 12 Aug 1993 15:33:14 -0500


Thus wrote:

>>The gopher URL will still let you send almost any single line of
>>text to any port on any machine, but you have to allow that if you
>>want to talk gopher.
>
>I'm not sure I understand the problem. Telnet will let you send a
>single line of text to any port on any machine. If your telnet
>won't, it's trivial to do it yourself with a few lines of C code (or
>perl, I guess)

Well, the point is that other people, who might not know they are
sending the mail, will send it automatically by retrieving this
document. And they won't receive any notification that they did -
until Mr. Root comes knocking on his door.

This came up when people were discussing the generic
telnet://host:port/somestring, but I guess nobody realized gopher
could be used to do the same thing.

If someone has to go to all this trouble just to forge mail he
wants to send, he should be shot. But the point is not for you to
send the mail, but for hundreds of people to unwittingly send the
mail, and they can't say they didn't send it - THEY DID.

Imagine if I put this in the home page for IU - we have received
> 6000 requests since Tuesday - that would have been quite a few
messages sent off to root, at the user's machine. Not a good
situation.

I think the suggestion of checking the port # before doing a
request is a good idea. Ones to watch would be 25 (smtp), 119
(usenet), 110 (pop) - any others?

I think I'll implement this in my emacs browser after my operating
systems test. :)

-Bill P.
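
The port check suggested in the message above, sketched as an added example that is not part of the original post or of any browser's code. The function name, the sample URLs and the default gopher port of 70 are assumptions; the refused ports are only the three named in the message.

```python
from urllib.parse import urlsplit

# Ports named in the message: 25 (smtp), 119 (usenet), 110 (pop).
BLOCKED_PORTS = {25: "smtp", 119: "usenet", 110: "pop"}
GOPHER_DEFAULT_PORT = 70  # assumption: used when the URL gives no port


def check_gopher_url(url):
    """Return (allowed, reason) for a gopher URL before any connection is made."""
    try:
        parts = urlsplit(url)
        # .port normalises forms such as ":0025" to 25 and raises
        # ValueError for non-numeric or out-of-range ports.
        port = parts.port
    except ValueError as exc:
        return False, "malformed URL: %s" % exc
    if parts.scheme != "gopher":
        return False, "not a gopher URL"
    if not parts.hostname:
        return False, "no host"
    if port is None:
        port = GOPHER_DEFAULT_PORT
    if port in BLOCKED_PORTS:
        return False, "port %d (%s) refused" % (port, BLOCKED_PORTS[port])
    return True, "port %d allowed" % port


# Constructed sample URLs, not taken from the original thread.
SAMPLE_URLS = [
    "gopher://gopher.example.org/1/docs",
    "gopher://gopher.example.org:7070/1/docs",
    "gopher://gopher.example.org:25/1/docs",
    "gopher://gopher.example.org:0025/1/docs",
    "gopher://gopher.example.org:119/1/docs",
    "gopher://gopher.example.org:abc/1/docs",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        allowed, reason = check_gopher_url(url)
        print("%-45s %-7s %s" % (url, "fetch" if allowed else "refuse", reason))
```

The check runs on the parsed integer port rather than on the URL text, so a port written with leading zeros is refused like the plain form.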